NAT
* NAT rules are in a separate rulebase from the security policies.
** A security policy must also be configured to allow the NAT traffic.
** Security policy match is based on the post-NAT zone and the pre-NAT IP address.
* Palo Alto firewalls can perform source address translation and destination address translation.

'''Virtual Wire'''
* NAT is supported on vwire interfaces.
* Recommended to translate the source address to a different subnet than the one on which the neighboring devices are communicating.
** Proxy ARP is not supported on vwires, so neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the vwire.

Source NAT = Inside -> Outside
Destination NAT = Outside -> Inside
U-Turn NAT = Inside -> Inside

'''Determining Zone Configuration:'''
* NAT rules must be configured to use the zone associated with the pre-NAT IP addresses.
** EX: translating incoming traffic to an internal server (which internet users reach via a public IP): configure the NAT policy using the zone in which the public IP address resides. The source and destination zones will be the same.
** EX: translating outgoing host traffic to a public IP address: configure the NAT policy with the source zone corresponding to the private IP addresses of those hosts.
The pre-NAT zone is required because this match occurs before the packet has been modified by NAT.

'''SOURCE ADDRESS TRANSLATION:'''
Example:
* 192.168.15.47 = host on the private network
* 4.2.2.2 = server on the internet
To prevent exposure of the private IP address, the NAT policy makes the traffic from the private network appear to come from the ethernet1/4 interface.

'''NAT TYPES:'''
* '''Dynamic-IP-Port''' (port address translation)
** Multiple clients use the same public IP address with different source port numbers.
** Allows translation of the source IP and port numbers to:
*** Interface IP
*** IP address
*** IP subnet
*** Range of IPs
** EX: the egress interface has a dynamically assigned IP address; if you specify the interface in the Dynamic IP/Port rule, the NAT policy will update automatically to use whatever address the interface acquires for subsequent translations.
* '''Dynamic-IP'''
** 1-to-1 translations. Private source addresses translate to the next available address in the specified address range.
** The size of the Dynamic-IP pool defines the number of hosts that can be translated.
** By default, if the source address pool is larger than the translated address pool, new IP addresses seeking translation will be blocked.
*** Solution: click the Advanced (Dynamic IP/Port Fallback) option and specify a Dynamic IP/Port configuration to be used as backup.
* '''Static IP'''
** 1-to-1 fixed translations.
** Use Static IP to change the source IP address while leaving the source port unchanged.
** The size of the static NAT pool must be the same as the size of the source addresses to be translated.
** Bi-directional translation: the destination IP can also be translated for inbound connections.
*** Common config when an internal server needs to be available on the internet.

'''NAT EXAMPLES'''

> EX1: Going from inside Trust (private address) to Untrust (public IP) using the Untrust interface address. (Dynamic IP and Port)

Dynamic IP and Port: for traffic flowing from the Trust zone to Untrust, translate the source address to the address of the Untrust interface.

Policy -> NAT -> New
* General (tab)
** Add Name
* Original Packet (tab)
** Source Zone: Trust
** Destination Zone: Untrust
** Source Address: Any
** Destination Address: Any
* Translated Packet (tab)
** Source Address Translation:
*** Translation Type: Dynamic IP and Port
*** Address Type: Interface Address
*** Interface:
*** IP Address:
Once the NAT policy is created, make sure there is a security rule allowing the traffic.
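The pool behaviour of the two dynamic source translation types, as an added example that is not part of these notes or of any Palo Alto Networks software: Dynamic-IP hands each private host the next free address 1-to-1 and keeps the source port, blocks new hosts once the pool is exhausted, or overflows to a Dynamic IP/Port translator when the fallback is configured; Dynamic-IP-Port shares one public address and distinguishes clients by the rewritten source port. The pool range 203.0.113.20-21, the fallback address 203.0.113.4, the private hosts and the port numbers are constructed for the example, and lease lifetime is simplified to an explicit release() call.

```python
"""Added example (not from the original notes): the address-pool behaviour of
the Dynamic-IP source translation type and its Dynamic IP/Port fallback, next
to the port-sharing behaviour of Dynamic-IP-Port. The pool range 203.0.113.20-21,
the fallback address 203.0.113.4 and the private hosts are constructed."""
from ipaddress import ip_address
from typing import Dict, Optional, Tuple


class DynamicIpPortTranslator:
    """Dynamic-IP-Port (PAT): every client is translated to the same public address
    and distinguished by a rewritten source port."""

    def __init__(self, public_ip: str, first_port: int = 1025):
        self.public_ip, self._next_port = public_ip, first_port

    def translate(self, private_ip: str, sport: int) -> Tuple[str, int]:
        port, self._next_port = self._next_port, self._next_port + 1
        return self.public_ip, port


class DynamicIpPool:
    """Dynamic-IP: 1-to-1, each private host takes the next free address in the
    translated range and keeps it while it has sessions; the source port is kept."""

    def __init__(self, first: str, last: str, fallback: Optional[DynamicIpPortTranslator] = None):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.free = [str(ip_address(i)) for i in range(lo, hi + 1)]
        self.leases: Dict[str, str] = {}      # private host -> translated address
        self.fallback = fallback              # the Advanced "Dynamic IP/Port fallback" setting

    @property
    def size(self) -> int:
        """Pool size = number of hosts that can be translated at the same time."""
        return len(self.free) + len(self.leases)

    def translate(self, private_ip: str, sport: int) -> Optional[Tuple[str, int]]:
        """(translated address, source port), or None when a new host is blocked."""
        if private_ip in self.leases:
            return self.leases[private_ip], sport
        if self.free:
            self.leases[private_ip] = self.free.pop(0)
            return self.leases[private_ip], sport
        if self.fallback:                     # pool exhausted: fall back to PAT
            return self.fallback.translate(private_ip, sport)
        return None                           # default behaviour: blocked

    def release(self, private_ip: str) -> None:
        """All sessions of the host ended: return its address to the pool."""
        addr = self.leases.pop(private_ip, None)
        if addr:
            self.free.append(addr)


def demo():
    """Two-address pool: the third host is blocked; with fallback it gets PAT instead."""
    pool = DynamicIpPool("203.0.113.20", "203.0.113.21")           # room for 2 hosts
    a = pool.translate("192.168.15.47", 40000)
    b = pool.translate("192.168.15.48", 40001)
    blocked = pool.translate("192.168.15.49", 40002)               # third host: blocked
    pat = DynamicIpPortTranslator("203.0.113.4")
    with_fb = DynamicIpPool("203.0.113.20", "203.0.113.20", fallback=pat)
    with_fb.translate("192.168.15.47", 40000)
    fb = with_fb.translate("192.168.15.48", 40001)                 # overflow host uses PAT
    return a, b, blocked, fb


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four results of demo(): two 1-to-1 leases with the original ports kept, None for the blocked host, and the fallback address with a freshly allocated port for the host that overflowed the single-address pool. The sizing rule in the notes follows from size: a pool can only ever carry that many concurrent hosts.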
> EX2: Inside Trust traffic to Untrust, translating the source addresses to an IP address in a specified pool. (Dynamic IP)

Policy -> NAT -> New
* General (tab)
* Original Packet (tab)
** Source Zone: Trust
** Destination Zone: Untrust
** Source Address:
** Destination Address: Any
* Translated Packet (tab)
** Source Address Translation:
*** Translation Type: Dynamic IP
*** Translated Address:

> EX3: 1-to-1 mapping. One source IP address translated to one public IP address. (Static IP)

Policy -> NAT -> New
* General (tab)
* Original Packet (tab)
** Source Zone: Trust
** Destination Zone: Untrust
** Source Address:
** Destination Address: Any
* Translated Packet (tab)
** Source Address Translation:
*** Translation Type: Static IP
*** Translated Address:
*** Bi-directional: No

'''DESTINATION ADDRESS TRANSLATION:'''

Destination NAT types:
* '''Static-IP'''
** Use Static IP to change the destination IP address while leaving the destination port unchanged.
* '''Port Forwarding'''
** A technique used to manage traffic through NAT policies based on destination port numbers.
*** Used to map a single public IP address to multiple private servers and services.
** The destination ports can stay the same or be directed to different destination ports.

'''Destination NAT example:'''
Allowing external traffic to internal servers with public IP addresses:
* NAT policy:
** Original Packet (tab):
*** Source Zone = Untrust
*** Destination Zone = Untrust
*** Destination Address = Public address
** Translated Packet (tab):
*** Translated Address = Private address

Configuring internet access (with destination NAT) with 2 VSYS and a shared gateway:
* https://live.paloaltonetworks.com/docs/DOC-3342

'''STATIC NAT'''
Static NAT is commonly used to access servers behind a firewall from the outside.
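To make the zone rule above concrete (NAT rules match on pre-NAT zones and addresses, security policy on post-NAT zones with pre-NAT addresses), here is an added Python model of the lookup order; it is not part of these notes and not Palo Alto Networks code. It walks EX1 (Trust to Untrust, Dynamic IP and Port to the untrust interface address) and the destination NAT example (Untrust to Untrust, public address translated to a private server), adds a port-forwarding rule that sends port 2222 on the same public address to a second server on port 22, and includes a deliberately mis-written inbound security rule that names the post-NAT private address, to show why that rule never matches. The zone layout, the ethernet1/4 address 203.0.113.4, all other addresses, ports and rule names are assumptions constructed for the example.

```python
"""Added example (not from the original notes): a model of how a PAN-OS firewall
evaluates a packet against the NAT rulebase and then the security rulebase. NAT
rules match on PRE-NAT zones and addresses; security rules match on POST-NAT
zones with PRE-NAT addresses. Zone layout, addresses and rule names are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# Constructed stand-in for the route lookup that decides which zone an address is in.
ZONE_OF = {"trust": ip_network("192.168.15.0/24"), "untrust": ip_network("0.0.0.0/0")}
INTERFACE_IP = {"ethernet1/4": "203.0.113.4"}      # untrust interface address (constructed)
_dipp_ports = count(1025)                           # constructed source-port allocator for Dynamic IP and Port

def zone_for(addr: str) -> str:
    """Zone of the most specific network containing addr."""
    a = ip_address(addr)
    return max((n.prefixlen, z) for z, n in ZONE_OF.items() if a in n)[1]

Packet = namedtuple("Packet", "src dst src_zone dst_zone sport dport")
SecRule = namedtuple("SecRule", "name from_zone to_zone src dst", defaults=("any", "any"))

@dataclass
class NatRule:
    name: str
    from_zone: str                                  # PRE-NAT zones
    to_zone: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None                     # service match, used for port forwarding
    src_xlate: dict = field(default_factory=dict)   # {"type": "dynamic-ip-and-port"|"static-ip", ...}
    dst_xlate: Optional[str] = None                 # translated destination address
    dport_xlate: Optional[int] = None               # translated destination port (None = unchanged)

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def match_nat(rules, pkt):
    """Top-down first match using PRE-NAT zones, addresses and destination port."""
    for r in rules:
        if ((r.from_zone, r.to_zone) == (pkt.src_zone, pkt.dst_zone) and _in(pkt.src, r.src)
                and _in(pkt.dst, r.dst) and r.dport in (None, pkt.dport)):
            return r
    return None

def apply_nat(rule, pkt):
    """Post-NAT packet: the source zone is the ingress zone and stays; the
    destination zone is recomputed from the translated destination address."""
    src, sport, dst, dport, x = pkt.src, pkt.sport, pkt.dst, pkt.dport, rule.src_xlate
    if x.get("type") == "dynamic-ip-and-port":
        # Many clients share one public address; the source port is rewritten.
        src = INTERFACE_IP[x["interface"]] if "interface" in x else x["address"]
        sport = next(_dipp_ports)
    elif x.get("type") == "static-ip":
        src = x["address"]                           # 1-to-1, source port unchanged
    if rule.dst_xlate:
        dst, dport = rule.dst_xlate, rule.dport_xlate or dport
    return Packet(src, dst, pkt.src_zone, zone_for(dst), sport, dport)

def match_security(rules, pre, post):
    """Security policy: POST-NAT zones, PRE-NAT addresses."""
    for r in rules:
        if (r.from_zone, r.to_zone) == (post.src_zone, post.dst_zone) and _in(pre.src, r.src) and _in(pre.dst, r.dst):
            return r
    return None

def process(nat_rules, sec_rules, pkt):
    """NAT lookup first (pre-NAT view), then security policy.
    Returns (NAT rule name or None, post-NAT packet, security rule name or deny)."""
    nat = match_nat(nat_rules, pkt)
    post = apply_nat(nat, pkt) if nat else pkt     # no NAT match: packet passes untranslated
    sec = match_security(sec_rules, pkt, post)
    return (nat.name if nat else None, post, sec.name if sec else "deny (no match)")

# Constructed rulebases mirroring the notes' examples.
NAT_RULES = [
    # EX1: Trust -> Untrust, source translated to the untrust interface address (Dynamic IP and Port)
    NatRule("trust-out", "trust", "untrust", src_xlate={"type": "dynamic-ip-and-port", "interface": "ethernet1/4"}),
    # Destination NAT to internal servers: both zones are the PRE-NAT (public) zone.
    NatRule("web-in", "untrust", "untrust", dst="203.0.113.80/32", dport=80, dst_xlate="192.168.15.80"),
    # Port forwarding: same public address, port 2222 goes to a different server on port 22.
    NatRule("ssh-in", "untrust", "untrust", dst="203.0.113.80/32", dport=2222, dst_xlate="192.168.15.22", dport_xlate=22),
]
SEC_RULES = [
    SecRule("allow-out", "trust", "untrust"),
    # Post-NAT destination zone is trust, but the rule still names the PRE-NAT public address.
    SecRule("allow-in", "untrust", "trust", dst="203.0.113.80/32"),
]
# The common mistake: the inbound security rule written with the post-NAT private address.
WRONG_SEC_RULES = [SecRule("allow-in", "untrust", "trust", dst="192.168.15.80/32")]

def new_packet(src, dst, sport, dport):
    return Packet(src, dst, zone_for(src), zone_for(dst), sport, dport)

def demo_outbound():
    return process(NAT_RULES, SEC_RULES, new_packet("192.168.15.47", "4.2.2.2", 40000, 443))

def demo_inbound(dport=80, sec_rules=SEC_RULES):
    return process(NAT_RULES, sec_rules, new_packet("198.51.100.9", "203.0.113.80", 51000, dport))

if __name__ == "__main__":
    print(demo_outbound(), demo_inbound(), demo_inbound(2222), demo_inbound(80, WRONG_SEC_RULES), sep="\n")
```

The last printed line is the one to study: the packet is translated by the NAT rule exactly as before, the post-NAT destination zone is trust, yet the security lookup ends in deny because the rule was written against the private address while the policy engine compares the pre-NAT address 203.0.113.80. The same model is what test nat-policy-match answers on the firewall: which NAT rule a given source, destination, protocol and port from a given zone would hit.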
'''Bi-Directional NAT'''
The Bi-directional option is equivalent to having 2 rules:
# From inside to outside: Source = Private IP, Destination = Any, Source Translation = Static IP, Translated Address = Public IP.
# From Any (inside and outside) to outside: Source = Any, Destination = Public IP, Destination Translation Translated Address = Private IP.

Internal servers unable to reach each other on their public IPs with static bi-directional NAT:
* https://live.paloaltonetworks.com/docs/DOC-5682

'''1-to-1 NAT'''
Makes systems behind a firewall that are configured with private IP addresses appear to have public IP addresses. It maps one internal address to one external address.
For 1-to-1 NAT, always write the rules as if the inside IP is traveling out to the internet:
Original Packet:
* Source IP = Internal / Destination IP = Any
Translated Packet:
* Source IP = External / Destination IP = Any
* Source Translation = Static IP, Bi-directional
Verify there is a security policy that allows the traffic in both the inbound and outbound directions. The security policy can be used to limit the traffic to specific applications.
----
'''A single NAT policy for MULTIPLE 1-to-1 source translation addresses:'''
* NAT private IP addresses: 192.168.10.130 - 192.168.10.230
* Public IP addresses: 1.1.1.130 - 1.1.1.230
Create the address object:
* Click on Objects -> Address -> New
* Input the address name
* Select IP Range
* Input the private IP address range: 192.168.10.130 - 192.168.10.230
Create the single NAT policy:
* Policies -> NAT -> New
* Select the source and destination Layer 3 zones
* Select the above object as the source address
* Select Source Translation and enter the public IP addresses: 1.1.1.130 - 1.1.1.230
* Select Static IP for the Address Pool
* Commit

'''U-Turn NAT rule'''
Commonly used when an internal user needs to access an internal server using its external IP address.
* https://live.paloaltonetworks.com/docs/DOC-1678

'''No NAT rule'''
Leave the source and destination translation fields blank.
A No NAT rule can be used to exclude specific IP addresses from a range or subnet defined in another NAT rule.
* https://live.paloaltonetworks.com/docs/DOC-1258

'''COMMANDS'''
* ''show session all filter destination''
* ''show session id''
This command will show the NAT rule that the traffic is hitting for the specified source IP and zone:
* ''test nat-policy-match source <172.16.7.2> destination 8.8.8.8 protocol 6 destination-port 80 from''

Understanding PAN-OS NAT:
* https://live.paloaltonetworks.com/docs/DOC-1517
Source NAT configuration video:
* https://live.paloaltonetworks.com/videos/1438
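The static 1-to-1 range rule, the Bi-directional option and the No NAT exclusion above, as an added Python example that is not part of these notes or of any Palo Alto Networks software. It builds the single static rule for 192.168.10.130 - 192.168.10.230 mapped onto 1.1.1.130 - 1.1.1.230 (refusing pools of unequal size), shows the two rules a bi-directional rule is equivalent to, and walks a small top-down rulebase in which a No NAT rule for one host is placed above the range rule so that host is left untranslated. The zone names trust and untrust, the rule names and the excluded host 192.168.10.200 are assumptions; the address ranges are the ones from the notes.

```python
"""Added example (not from the original notes): what a bi-directional static
NAT rule expands to, how one static rule maps a private range 1-to-1 onto a
public range, and how a No NAT rule placed above it excludes a single host.
Zone names and rule names are constructed; the address ranges are the ones
used in the notes (192.168.10.130-230 -> 1.1.1.130-230)."""
from ipaddress import ip_address
from typing import Dict, List, Optional


def parse_range(spec: str):
    """'first - last' -> (int(first), int(last)); a single address is a range of one."""
    parts = [p.strip() for p in spec.split("-")]
    lo, hi = int(ip_address(parts[0])), int(ip_address(parts[-1]))
    if hi < lo:
        raise ValueError(f"range {spec!r} ends before it starts")
    return lo, hi


def static_rule(name, from_zone, to_zone, source_range, translated_range, bidirectional=False) -> Dict:
    """Static-IP source NAT rule. The translated pool must be exactly as large as
    the set of source addresses, otherwise the 1-to-1 mapping is undefined."""
    s_lo, s_hi = parse_range(source_range)
    t_lo, t_hi = parse_range(translated_range)
    if s_hi - s_lo != t_hi - t_lo:
        raise ValueError("static NAT pool must be the same size as the source addresses")
    return {"name": name, "from": from_zone, "to": to_zone, "source": source_range,
            "destination": "any", "source-translation": ("static-ip", translated_range),
            "destination-translation": None, "bi-directional": bidirectional}


def no_nat_rule(name, from_zone, to_zone, source) -> Dict:
    """No NAT rule: both translation fields are left blank."""
    return {"name": name, "from": from_zone, "to": to_zone, "source": source,
            "destination": "any", "source-translation": None,
            "destination-translation": None, "bi-directional": False}


def expand_bidirectional(rule: Dict) -> List[Dict]:
    """The Bi-directional option equals two rules: the outbound static source
    translation plus an implicit inbound destination translation from any zone
    to the outside zone, matching the public address and translating it back."""
    if not rule["bi-directional"]:
        return [rule]
    _, public = rule["source-translation"]
    outbound = {**rule, "bi-directional": False}
    inbound = {"name": rule["name"] + " (implicit inbound)", "from": "any", "to": rule["to"],
               "source": "any", "destination": public, "source-translation": None,
               "destination-translation": rule["source"], "bi-directional": False}
    return [outbound, inbound]


def _in_range(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    lo, hi = parse_range(spec)
    return lo <= int(ip_address(addr)) <= hi


def translate_source(rules: List[Dict], from_zone: str, to_zone: str, host: str) -> Optional[str]:
    """First matching rule wins, top-down like the NAT rulebase. Returns the translated
    source address, the original host for a No NAT match, or None when nothing matches."""
    for r in rules:
        if r["from"] == from_zone and r["to"] == to_zone and _in_range(host, r["source"]):
            if r["source-translation"] is None:
                return host                               # No NAT: excluded from translation
            s_lo, _ = parse_range(r["source"])
            t_lo, _ = parse_range(r["source-translation"][1])
            # 1-to-1: the host keeps its offset within the range, so .150 -> .150
            return str(ip_address(t_lo + int(ip_address(host)) - s_lo))
    return None


# Constructed rulebase: the No NAT exclusion must sit ABOVE the broad range rule,
# otherwise the range rule would match the excluded host first.
RULEBASE = [
    no_nat_rule("exclude-printer", "trust", "untrust", "192.168.10.200"),
    static_rule("servers-1to1", "trust", "untrust",
                "192.168.10.130 - 192.168.10.230", "1.1.1.130 - 1.1.1.230", bidirectional=True),
]

if __name__ == "__main__":
    for host in ("192.168.10.150", "192.168.10.200", "192.168.10.5"):
        print(host, "->", translate_source(RULEBASE, "trust", "untrust", host))
    for r in expand_bidirectional(RULEBASE[1]):
        print(r["name"], r["from"], "->", r["to"], "dst", r["destination"], "xlate", r["destination-translation"])
```

The expansion is why the notes insist on a security rule for both directions: the implicit inbound rule from any zone is what lets outside hosts reach the public addresses, and that traffic still has to be allowed by a security rule written with the public (pre-NAT) destination address.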